CVE-2021-46038: untrusted pointer dereference in unlink_chunk.isra · Issue #2000 · gpac/gpac
A Pointer Dereference vulnerability exists in GPAC 1.0.1 in unlink_chunk.isra, which causes a Denial of Service (context-dependent).
Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!
- [Yes] I looked for a similar issue and couldn't find any.
- [Yes] I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
- [Yes] I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line …). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95
Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/
Version:
command:

```sh
./bin/gcc/MP4Box -hint POC2
```
POC2.zip
Result
```text
bt
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff754da2f in unlink_chunk (p=p@entry=0x5555555e1480, av=0x7ffff76a0b80 <main_arena>) at malloc.c:1453
1453 malloc.c: No such file or directory.
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
[ REGISTERS ]
RAX 0x14000007a0
RBX 0x7ffff76a0b80 (main_arena) ◂— 0x0
RCX 0x14000007a5
RDX 0x7ffff76a10b0 (main_arena+1328) —▸ 0x7ffff76a10a0 (main_arena+1312) —▸ 0x7ffff76a1090 (main_arena+1296) —▸ 0x7ffff76a1080 (main_arena+1280) —▸ 0x7ffff76a1070 (main_arena+1264) ◂— ...
RDI 0x5555555e1480 ◂— 0x8013f76a1f74
RSI 0x4000
R8 0x7ffff76a0c10 (main_arena+144) —▸ 0x7ffff76a0c00 (main_arena+128) —▸ 0x5555555e0f10 ◂— 0x1400000014
R9 0x0
R10 0x7ffff7e0e94e ◂— ' but no data reference entry found\n'
R11 0x7ffff76a0be0 (main_arena+96) —▸ 0x5555555e69e0 ◂— 0x0
R12 0x1400000760
R13 0x40
R14 0x14000007a0
R15 0x2
RBP 0x38
RSP 0x7fffffff7e30 —▸ 0x5555555e2a00 ◂— 0x1473746383
RIP 0x7ffff754da2f (unlink_chunk.isra+15) ◂— cmp rax, qword ptr [rdi + rax]
[ DISASM ]
► 0x7ffff754da2f <unlink_chunk.isra+15> cmp rax, qword ptr [rdi + rax]
  0x7ffff754da33 <unlink_chunk.isra+19> jne unlink_chunk.isra+191 <unlink_chunk.isra+191>
  ↓
  0x7ffff754dadf <unlink_chunk.isra+191> lea rdi, [rip + 0x11f954]
  0x7ffff754dae6 <unlink_chunk.isra+198> call malloc_printerr <malloc_printerr>
  0x7ffff754daeb <unlink_chunk.isra+203> lea rdi, [rip + 0x123756]
  0x7ffff754daf2 <unlink_chunk.isra+210> call malloc_printerr <malloc_printerr>
  0x7ffff754daf7 nop word ptr [rax + rax]
  0x7ffff754db00 <malloc_consolidate> push r15
  0x7ffff754db02 <malloc_consolidate+2> lea rax, [rdi + 0x60]
  0x7ffff754db06 <malloc_consolidate+6> mov r15, rdi
  0x7ffff754db09 <malloc_consolidate+9> push r14
[ STACK ]
00:0000│ rsp 0x7fffffff7e30 —▸ 0x5555555e2a00 ◂— 0x1473746383
01:0008│     0x7fffffff7e38 —▸ 0x7ffff7550773 (_int_malloc+2947) ◂— cmp r12, 0x1f
02:0010│     0x7fffffff7e40 —▸ 0x5555555e1480 ◂— 0x8013f76a1f74
03:0018│     0x7fffffff7e48 —▸ 0x7ffff76a0be0 (main_arena+96) —▸ 0x5555555e69e0 ◂— 0x0
04:0020│     0x7fffffff7e50 —▸ 0x7fffffff7e60 ◂— 0x38 /* '8' */
05:0028│     0x7fffffff7e58 ◂— 0xdab84f8dc31ec400
06:0030│     0x7fffffff7e60 ◂— 0x38 /* '8' */
07:0038│     0x7fffffff7e68 ◂— 0x4
[ BACKTRACE ]
► f 0 0x7ffff754da2f unlink_chunk.isra+15
  f 1 0x7ffff7550773 _int_malloc+2947
  f 2 0x7ffff75522d4 malloc+116
  f 3 0x7ffff78c17d2 co64_box_new+18
  f 4 0x7ffff78f8aa9 gf_isom_box_new+153
  f 5 0x7ffff791009c shift_chunk_offsets.part+284
  f 6 0x7ffff79103a7 inplace_shift_moov_meta_offsets+231
  f 7 0x7ffff7910e3c inplace_shift_mdat+732
```
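The faulting `cmp rax, qword ptr [rdi + rax]` at unlink_chunk.isra+15 is glibc's first consistency check in unlink_chunk(): chunksize(p) must equal the prev_size field of the chunk at p + chunksize(p), and with rax = 0x14000007a0 that read lands far outside the heap, so the check faults before it can abort with "corrupted size vs. prev_size". The C model below is an added triage example, not GPAC or glibc code; its two-chunk heap and the 0x4141... overwrite are constructed, and only the size value 0x14000007a0 comes from the register dump above.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* glibc malloc chunk header: prev_size at +0, size (3 low bits are flags) at +8. */
#define SIZE_BITS 0x7UL
#define CHUNK_HDR 16
enum unlink_result { UNLINK_OK, UNLINK_CORRUPTED, UNLINK_WOULD_FAULT };

static size_t rd64(const uint8_t *p) { size_t v; memcpy(&v, p, sizeof v); return v; }
static void wr64(uint8_t *p, size_t v) { memcpy(p, &v, sizeof v); }

/* First check in glibc's unlink_chunk(): chunksize(p) == prev_size(next_chunk(p)).
 * glibc reads p + chunksize(p) before anything validates the size; that read is the
 * faulting `cmp rax, [rdi + rax]` in the report (rax = chunksize, rdi = p). This
 * model bounds-checks the read so a corrupt size is reported instead of faulted on. */
static enum unlink_result unlink_size_check(const uint8_t *heap, size_t heap_len, size_t p_off) {
    if (p_off > heap_len - CHUNK_HDR) return UNLINK_WOULD_FAULT;
    size_t sz = rd64(heap + p_off + 8) & ~SIZE_BITS;
    if (sz > heap_len - p_off - sizeof(size_t)) return UNLINK_WOULD_FAULT; /* leaves the heap */
    return sz == rd64(heap + p_off + sz) ? UNLINK_OK : UNLINK_CORRUPTED;
}

/* Constructed two-chunk heap: a free 0x40-byte chunk at offset 0 and its successor,
 * whose prev_size field records 0x40 as glibc keeps it for a free predecessor. */
static void build_heap(uint8_t *heap, size_t heap_len) {
    memset(heap, 0, heap_len);
    wr64(heap + 0x08, 0x40 | 1);   /* chunk 0: size 0x40, PREV_INUSE set */
    wr64(heap + 0x40, 0x40);       /* chunk 1: prev_size = size of chunk 0 */
    wr64(heap + 0x48, 0x40);       /* chunk 1: size 0x40, PREV_INUSE clear */
}

enum unlink_result check_intact(void) {
    uint8_t heap[0x100]; build_heap(heap, sizeof heap);
    return unlink_size_check(heap, sizeof heap, 0);
}

/* Overwrite reached only the successor's prev_size: glibc would abort with
 * "corrupted size vs. prev_size" (the jne to malloc_printerr in the disassembly). */
enum unlink_result check_prev_size_clobbered(void) {
    uint8_t heap[0x100]; build_heap(heap, sizeof heap);
    wr64(heap + 0x40, 0x4141414141414141);   /* constructed garbage value */
    return unlink_size_check(heap, sizeof heap, 0);
}

/* The size field holds the RAX/R14 value from the dump, so p + chunksize(p) points
 * far outside any mapping and the consistency check itself takes the SIGSEGV. */
enum unlink_result check_size_clobbered(void) {
    uint8_t heap[0x100]; build_heap(heap, sizeof heap);
    wr64(heap + 0x08, 0x14000007a0);         /* value seen in the register dump */
    return unlink_size_check(heap, sizeof heap, 0);
}
```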